
OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/04 12:09:45
by amrajkamal
Hi Team,

I came to know CENTOS 5 will be supported till 2017.
But, CENTOS comes with an OpenSSL version of 0.9.8 which has an EOL by December 2015.

Want to know how CENTOS will provide security fixes for OpenSSL 0.9.8 (for vulnerabilities) on CENTOS 5.X post December 2015 (i.e. for almost 2 more years).

Awaiting your inputs/answers.

Best regards,
Raj Kamal.

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/04 14:17:45
by TrevorH
Redhat provide the support and backport fixes from newer versions. Same way that it works for all the other EOL packages in CentOS 5 (and 6 and 7!)

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/05 06:20:20
by amrajkamal
Hi,

Thank you for your prompt response.

My question was: "OpenSSL.org" themselves don't support 0.9.8 post December 2015 @ https://www.openssl.org/blog/blog/2014/ ... -strategy/
"Back in October we announced the End Of Life of version 0.9.8. This version is currently only receiving security updates, and support will cease completely on 31st December 2015"

So, will Redhat/CentOS take the ownership of FIXING any new upcoming vulnerabilities post Dec' 2015?

Will REDHAT/CENTOS take the responsibility to find a solution and fix vulnerabilities, because there is nothing to BACKPORT from OpenSSL.org post Dec' 2015 for the 0.9.8 version, and continue supporting the 0.9.8 RPM package till 2017 for CentOS 5.X? (This was the intention behind my post.)

Regards,
Murali.

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/05 10:41:24
by TrevorH
Redhat already have responsibility for fixing the bugs in the copy we use. The current version of openssl 0.9.8 from the openssl website is 0.9.8ze and the version in CentOS 5 is openssl-0.9.8e-32.el5_11.x86_64, yet the latest entry in the rpm changelog is dated "* Wed Dec 17 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-32"

Please read https://access.redhat.com/security/updates/backporting for more info about the policy that Redhat use.
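The practical consequence of the backporting policy described above is that the package version string (0.9.8e) says nothing about which vulnerabilities are fixed; the RPM changelog does. The following shell functions, added here as an example and not taken from the thread or from any CentOS/Red Hat tooling, show how to check a package's changelog for a specific CVE and to list every CVE it claims to fix. The changelog text embedded below is constructed for this example (only the "Wed Dec 17 2014 ... 0.9.8e-32" header line appears in the post above; the "- fix CVE-..." bodies and the second entry are made up to illustrate the format), so the CVE ids and fix descriptions should not be read as the real RHEL 5 changelog.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from CentOS/Red Hat.
# Backported packages keep the old upstream version (0.9.8e here), so a scanner
# that only reads the version banner will flag them as vulnerable. The reliable
# check on an RPM-based system is the package changelog:
#   rpm -q --changelog openssl | cve_in_changelog CVE-2014-3566
# To keep this runnable offline, a CONSTRUCTED changelog is embedded instead.

# Return 0 if the changelog on stdin mentions the CVE id given as $1, else 1.
# Case-insensitive, and "--" stops grep from treating the id as an option.
cve_in_changelog() {
    grep -q -i -- "$1"
}

# Print every distinct CVE id mentioned in the changelog on stdin, one per line.
list_fixed_cves() {
    grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# CONSTRUCTED sample in the "rpm -q --changelog" format. Only the first header
# line matches what the thread quotes; the rest is invented for illustration.
SAMPLE_CHANGELOG='* Wed Dec 17 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-32
- fix CVE-2014-3566 - add support for TLS_FALLBACK_SCSV (constructed line)
* Mon Sep 08 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-30
- fix CVE-2014-3505 - doublefree in DTLS packet processing (constructed line)'

# Stand-alone demonstration: the version string would say "old", the changelog
# says "fixed". Guarded with if so the script is safe under "set -e".
if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-2014-3566; then
    echo "CVE-2014-3566: backported fix present despite version 0.9.8e"
else
    echo "CVE-2014-3566: not mentioned in changelog, investigate"
fi
echo "CVEs referenced by this package:"
printf '%s\n' "$SAMPLE_CHANGELOG" | list_fixed_cves
```

A CVE missing from the changelog is not proof the package is vulnerable (some fixes are described without an id, and some CVEs never affected the 0.9.8 branch at all), so treat a negative result as "check the vendor advisory", not as a finding.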

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/05 12:28:09
by amrajkamal
Hi,

Thank you once again for the quick response.

I went through the link about "Backporting Security Fixes" posted below and understood the concept of "backporting" with the given example of RHEL 6 and PHP 5.3.

But, the example case above is subtly different from the case of OpenSSL, let me quote:

Say, in January 2016/2017, there comes an announcement about a vulnerability in OpenSSL 0.9.8 version, but not on 1.0.0 or higher (because of change in architecture of OpenSSL 1.0.0 or higher); At this point in time, OpenSSL wouldn't research to fix the issue, because 0.9.8 is EOL.
Now, does RHEL/CENTOS do the necessary research to FIX the issue of 0.9.8 (because there is no fix given by OpenSSL in 1.0.0 or higher to BACKPORT). This is the clarity I am looking for.

And the below link about "Backporting Security Fixes" talks only about issues/vulnerabilities that are "fixed/addressed in upstream"

Hope you got more clarity about my question.

Regards,
Murali Raj Kamal.

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/05 12:34:06
by TrevorH
The fix would be backported from a newer openssl release.

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/06 10:51:21
by amrajkamal
Hi,

Let me highlight my question:

Say, in January 2016/2017, there comes an announcement about a vulnerability in OpenSSL 0.9.8 version, but not on 1.0.0 or higher (because of change in architecture of OpenSSL 1.0.0 or higher);

At this point in time, OpenSSL WOULD NOT research to fix the issue, because 0.9.8 is EOL.

Now, does RHEL/CENTOS do the necessary research to FIX the issue of 0.9.8 (because there is NO FIX to BACKPORT given by OpenSSL in 1.0.0 or higher)

How does RHEL/CENTOS address above situation (of nothing to backport from a latest upstream version, because that vulnerability might not exist in latest version of OpenSSL)

Regards,
Murali.

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/06 12:52:40
by TrevorH
These questions would really need to be addressed to Redhat, but I would expect them to fix it. CentOS does not fix things; it only repackages what Redhat provides to its customers. If you want the word straight from the horse's mouth then you need to ask Redhat.

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/07 08:31:24
by gulikoza
The "whatever change in architecture" that fixes the problem for 1.0.0 or higher is then backported to 0.9.8 (or an individual fix that corrects the problem is developed)
Similar development can be seen in kernel fixes... 2.6.18 and 2.6.32 (for EL6) have long been unsupported, but any bugs are fixed by either backporting the functionality from newer kernels or developing a fix to mitigate the issue if backporting is not an option due to functionality changes.

edit: I stand corrected, 2.6.32 is actually still supported until mid-2015...but since a lot of features have also been backported from newer kernels, I'd assume Redhat needs to develop fixes independently and not use kernel.org's latest 2.6.32 releases...

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Posted: 2015/03/07 16:23:14
by AlanBartlett
gulikoza wrote: edit: I stand corrected, 2.6.32 is actually still supported until mid-2015...but since a lot of features have also been backported from newer kernels, I'd assume Redhat needs to develop fixes independently and not use kernel.org's latest 2.6.32 releases...
Correct. ;)